Symfony 2.3.0 to 2.3.34, 2.6.0 - 2.6.11, 2.7.0 - 2.7.6 versions of the Security component are affected by this security issue.
This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.
A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker.
The described vulnerability allows an attacker to access a Symfony web
application with the attacked user's permissions. The attack requires that the
"Remember Me" login feature is used by the application. Additionally the
attacker either got access to the
PHPSESSID cookie value or has successfully
set a new value in the user's browser. Because of its requirements the
described vulnerability poses a low risk only.
The fix migrates the session after a successful login via the "Remember Me" login feature.
The patch for this issue is available here.
I would like to thank the RedTeam Pentesting GmbH team for reporting this security issue and providing a very detailed description of the problem and how to reproduce it (from which the current advisory is based on). Thanks to Sergey Novikov and Christian Flothmann for writing the fix for the various Symfony versions.